How to modify Weblogic Default Roles and Policies

This post is basically screenshots that demonstrates how to modify the existing roles and policies in Weblogic. We mostly have our users and groups in LDAP/ Database Servers. We integrate them with WLS for authentication purpose by configuring the authenticators. If we want to assign certain default roles, we can do it following the screenshots below. As a example I am assigning Admin role to TestGroup from the database.

In Summary we need to do this

Home > Summary of Security Realms > myrealm > Realm Roles > Expand Global Roles > Expand Roles > Click View Role Conditions under Role Policy of Admin > Clieck Add Conditions > Select a Group/User from the predicate list > In the Group/User Argument Name provide the name (of AD User/Group) and clieck Add , Click Finish > Click Save




33 comments

  1. Hi,

    I have the below servers in my domain, my WebLogic Server Version is : 10.3.2.0.

    AdminServer
    ManageServer

    I want to create a test user , who should have privilege to start/stop Manage Server only.

    Is this possible?

    Thanks in Advance!
    vicky

    1. Its possbible!

      Try the steps below

      Go to Managed Server > Security [Policies] > From the Administrator methods Select boot/shutdown >Click on Add Conditions > In the Predicate List select User > Add the username from which you want to start/stop the managed instance and Save the changes.

      Thanks for posting,
      -Faisal

  2. Thanks Faisal,

    I have tied these steps already!

    I want this user to login the admin console and start/stop the server from there. For this I gave the user Operator role.
    Now I am able to do so, also I can start stop the server but the problem is this user also can stop other servers…

    I am not very sure how do I get over with this problem.

    Regards,
    Vicky

  3. U can start the Servers in many more ways than starting from the console.

    U can use the ADMIN Utility, WLST, JMX.. assign roles & policies to different users to start different servers.

    Let me know what you think.

    Thanks
    Faisal Khan

  4. Hello,

    I have a query.

    There are two users userA and userB, and there are two services
    1) JMS 2) DATASOURCE.

    Now userA should only be able to monitor JMS resource and userb should only be able to monitor DATASOURCE.

    Here the challenge is that if we give monitor role to the users than they will be able to monitor everything, but i want them to monitor only the specific things as mentioned above.

    Is this possible? thanks in Advance.

    Regards,
    Kevin

  5. The WebLogic instance is connected to Active Directory using the ADProvider provided by oracle. We observe random missing of group information for an authenticated user. We cross-checked the AD config at the time of missing and sure that the group does exists, but just when we tried to determine the group information in our code, the group seemed disappeared with no reason. We can always workaround the problem temporarily by restarting the instance, however the same thing occurred again after some time and randomly on different group.

    Could you please help me in this?

    1. Hi Jetendra,

      I am not sure why this happens. An AD Administrator will be able to guide you better.

      Thanks,
      Faisal

  6. Is it possible to create a user or role with privileges only to install, start, stop and delete applications. This user must not have full administrative privileges.

  7. Thank Faisal !!!
    I used the method given above. I gave the admin role to one of the group ( say abc ). I am a member of that group and when I am trying to login using my LDAP id and passowrd. I am getting Authentication denied. Please let me know if you have any thoughts to implement.

  8. Hi Faisal
    I tried the exact steps you showed up. I give the admin roles to a group called xyz. I am a member of that group. But when I am trying to log into the console using my LDAP id and password I am getting Authentication Denied.
    Do you know the possible reasons and solution behind it.
    Also, I can see 1000 user and 1000 Group exported to weblogic console from LDAP. And when i give the admin role to one of the user which I am seeing from LDAP, it works. I can log in with the LDAP ID and password. But the group thing is not working.
    Please help me out.

  9. And any idea where the changes will be saved? I couldn’t see them in config.xml? In config.xml it is not maintaing any users,groups and roles and policies information? Then how weblogic managing this?

    1. Weblogic Server stores the users and group in the embedded ldap servers.
      The files are stored in the Server\data\ldap folder.

  10. Do we have to configure someting else if we are giving the admin roles to a group called ‘ABC’ if the ABC group resides in external LDAP. Not a local LDAP.

  11. Hi,
    I added the MS active directory user to Admin global role( the role that Administartors Group already have by default) but this AD user is not able to login the weblogic console.
    Can someone help me

  12. Here is an easy way to add the Global Role and assign condition to it (Group Condition):

    try:
    cd(‘SecurityConfiguration/’ + domainName + ‘/DefaultRealm/myrealm/RoleMappers/XACMLRoleMapper’);
    if(cmo.roleExists(”,myrole)):
    print “### Role”, myrole, “already exists on server”, serverUrl;
    print “###”, cmo.getRole(”, myrole);
    else:
    cmo.createRole(None, myrole, ‘Grp(‘ + mygroup + ‘)’);
    print “### Role”, myrole, “successfully added on server”, serverUrl;
    print “###”, cmo.getRole(”, myrole);
    except:
    print “#### Exception occured while adding Role on server”, serverUrl;
    dumpStack();

  13. HI Faisal,

    Can you please explain me how we can implement the user management through the roles?
    We are having more than 100 users who are accessing to the Oracle IPM Managed server with different permissions. These permissions are granted using weblogic groups.
    Since we are looking for AD integration we cannot use groups any more.
    How can i implement use based role and how ca i apply to users ???

    Thank you in advance…

    1. Hi Nirmani,

      You can modify the existing Weblogic Roles or create new roles and map to users in the AD.

      Regards,
      Faisal

  14. if any password policy can be enforced to change password every 180 days for weblogic users or it would need to be tracked manually?

  15. Hi,

    I need to create a role/group for a group of users who will be able to reset the password for the existing users under Summary of security realms>my realm> users and groups>.
    How can I do this?
    If I create a new group, how can I give them the access to reset the password for the users only?

    Thanks,
    Nabanita

    1. Hi Nabanita.. i think you will have to find the usereditor mbean and assign policies on that mbean..

  16. I want to map an active directory group to BI administrator application role.
    Can you please help me with this.

Leave a Reply